Distributed States Temporal Logic 



Carlo Montangero, Laura Semini

Dipartimento di Informatica, Università di Pisa
{monta, semini}@di.unipi.it


Abstract. We introduce a temporal logic to reason on global applications in an asynchronous setting. First, we define the Distributed States Logic (DSL), a modal logic for localities that embeds the local theories of each component into a theory of the distributed states of the system. We provide the logic with a sound and complete axiomatization. The contribution is that it is possible to reason about properties that involve several components, even in the absence of a global clock. Then, we define the Distributed States Temporal Logic (DSTL) by introducing temporal operators à la Unity. We support our proposal by working out a pair of examples: a simple secure communication system, and an algorithm for distributed leader election.
The motivation for this work is that the existing logics for distributed systems do not have the right expressive power to reason on the systems' behaviour when the communication is based on asynchronous message passing. On the other side, asynchronous communication is the most used abstraction when modelling global applications.
The current trend towards global computing needs software that works in an open, concurrent, distributed, high-latency, security-sensitive environment. Besides, this software must
be reliable, scalable, and "shipped today". Several trends are emerging in response to the 
challenges involved in the development of software with so demanding requirements. 

On one side, there is an increasing interest in the seamless integration of asynchronous 
communication in programming, coordination, and specification languages, since message- 
passing, event-based programming, call-backs, continuations, dataflow models, workflow 
models etc. are ubiquitous in global computing. Notable examples in this direction can be
found in the context of the Microsoft .NET initiative, like the introduction of support for
the delegate-based asynchronous calling model in the libraries of the Common Language
Runtime [25], and the proposal of chords in Polyphonic C# to accommodate asynchronous
methods in C# [32]. We provide an example of coverage of asynchronous communication in
coordination and specification languages in [29].

Another significant trend is represented by Component-Oriented Programming, that
aims at producing software components for a software market and for late composition.
Composers are third parties, possibly the end user, who are neither able nor willing to modify
components. This trend emphasizes the need for high quality specifications that put the composer into the position to decide what can be composed under which conditions. In a previous
work with Oikos_adtl [24,22], a specification language for distributed systems based on asynchronous communications, we showed how to accommodate asynchronous communication in
the composition of distributed systems specifications.

A notable example of component programming in the context of global computing is
offered by the Web Services [6], which leverage the standard representation of data provided
by XML to foster the construction of new components (services) by the coordination of other
services. Since the cooperation is based on asynchronous protocols, this is also an example
of the convergence of asynchronous communications and component programming.

Formal methods can play a major role in global computing. Precisely because the actors 
are programmatically independent, they need to have reliable ways to share precise knowledge 
of the artifacts they use or produce, independently of the particular technology (programming languages, middleware, ...) they rely on. Formal methods offer exactly this kind of
independence and precision, since they provide abstract models to share when operating or 
developing with components. They can provide ways to make precise the specifications of the 
components and of their contextual dependencies, and to prove in advance global properties, 
i.e. that a composition will meet the specifications it addresses. 

In this paper we define DSTL (Distributed States Temporal Logic), an extension of temporal
logic to deal with distributed systems. In [22] we defined new modalities to name system
components. Here, we introduce the operators to causally relate properties which might hold
in distinguished components, in an asynchronous setting. A typical DSTL formula is:

$$m\,p\ \mathsf{leads\_to}\ n\,q \wedge o\,r \qquad (1)$$

where the operator leads_to is similar to Unity's $\mapsto$ (leads to) and $m$, $n$, and $o$ express
locality. Formula (1) says that a property $p$ holding in component $m$ causes properties $q$ and
$r$ to hold in future states of components $n$ and $o$, respectively. An example is the computation
below. Horizontal arrows denote the sequence of states of a component, oblique arrows denote
the communications.

[Figure: three components $m$, $n$, $o$; $p$ holds in a state of $m$, from which communications reach $n$ and $o$, where $q$ and $r$ hold in later states.]

At this point a short philosophical note is needed. We tend to think that our operators 
express causality, even though, strictly speaking, they only define temporal relations, i.e. 
that their consequences (right hand side operands) hold after (or before, with past operators) 
their premises (left hand side operands). In fact, in our models, a state in a component is 
after one in another component only if there has been a communication between the two. 
Philosophically, this may not entail a causal relation, but our goal is to specify systems: 
it is natural to think that the communication carries the information needed to cause the 
intended effect. It is in this sense that we use the term causality. 

A similar argument applies locally: the implementation will take care that a state satis- 
fying the consequences is reached, after one satisfying the premises. 

From a technical point of view, the usual choices to build a Kripke model for formulae like (1)
are to consider the set of worlds $W$ to be one of the following:

1. the set of the states of a computation, i.e. the union of all the states of the system
components, like the circles in the following figure.

[Figure: components $m$ and $n$, each drawn as a sequence of circled states joined by arrows, with oblique arrows for the communications.]

This choice was adopted in Oikos_adtl and has shown some problems. For instance, consequence weakening, or, more in general, the possibility of reasoning on logical relations
between formulae like the premises or the consequences of (1), is not part of the logic. In
particular, a formula like

$$(n\,q \wedge m\,r) \to n\,q \qquad (2)$$

which would permit to weaken the consequences of (1), would not be a legal formula,
since no world can satisfy the conjunction $n\,q \wedge m\,r$.

2. the set of global states, or snapshots, of the system, where each world is a tuple of states,
one for each component. These tuples must satisfy some constraints to be coherent with
the communications between the subsystems. In the figure below, examples of worlds are
$(s^1_m, s^j_n)$ for $0 \le j \le 2$, while $(s^0_m, s^1_n)$ would not be a legal world.

[Figure: component $m$ with states $s^0_m, s^1_m$ and component $n$ with states $s^0_n, s^1_n, s^2_n$, with a communication from $m$ to $n$.]

This choice, adopted in many logics for distributed systems (see the section on related work), is not applicable in the case of asynchronous communication. Think of the case of property $p$ holding
only in state $s^0_m$ and $q$ holding only in states $s^j_n$, for $0 \le j \le 4$. The formula

$$m\,p \to n\,q \qquad (3)$$

[Figure: component $m$ with the state $s^0_m$ satisfying $p$, and component $n$ with states $s^0_n, \ldots, s^4_n$ satisfying $q$.]

would be valid in the model, inferring a remote instantaneous knowledge which is meaningless in an asynchronous setting. Moreover, it would be natural to say that world
$(s^{i'}_m, s^{j'}_n)$ follows $(s^i_m, s^j_n)$. In this case, one could assert that $n\,p\ \mathsf{leads\_to}\ m\,q$ holds, if
$p$ and $q$ hold in $s^j_n$ and $s^{i'}_m$, respectively, even though not even a temporal relationship
exists between these two states.

3. a third possibility would be to consider all the $k$-tuples of states (where $k$ is the number
of the system components) as worlds. But then, formula (3) would be valid in the model
above if $q$ holds in all the states of component $n$. Even if this is philosophically more
acceptable, we claim that a better solution can be found. What is more, this choice is
not adequate since if we let $p$ and $q$ hold in $s^0_m$ and $s^j_n$, respectively, we would like the
computation above to be a model for $m\,p\ \mathsf{leads\_to}\ n\,q$. On the contrary, the world $(s^0_m, s^{j'}_n)$ with $j' > j$
satisfies the premise but is not followed by any world satisfying the consequence.

The first contribution of our work is to introduce the distributed state logic DSL, that carries
over all meaningful propositional rules, like and-simplification, so that they can be exploited
orthogonally to any temporal operator. A major consequence of the introduction of DSL is
that the exploitation of the local theories in the proofs of the distributed properties becomes
smooth and robust.

The second part of the paper defines DSTL: we add the temporal operators, and the
corresponding derivation rules. The semantic domain of DSL, the power-set of the set of
all system states, even if chosen for technical reasons, makes the full logic DSTL a very
expressive language, that fully meets the pragmatic expectations of a designer (see the discussion in the last sections). The achievement is that it is possible to reason about properties that
involve several components, even in the absence of a global clock, the typical assumption in
an asynchronous setting.

Section 2 introduces the modal logic DSL, and its sound and complete axiomatization.
Section 3 defines DSTL as an extension of DSL with the temporal operators. Sections 4 and
5 work out a pair of examples: a simple secure communication system, and an algorithm for
the leader election problem. The last sections cover a discussion of the main design issues,
related work and future perspectives.
2 DSL

We assume a countable set of propositional letters $P$, with $p, q, \ldots$ ranging over $P$. The DSL
well-formed formulae over a finite set of components $U = \{m_1, m_2, \ldots, m_k\}$ are defined by:

$$F ::= p \mid \bot \mid \neg F \mid F \wedge F' \mid m_i F$$

where $\bot$ is the propositional constant false, and $m_i$ for $i = 1 \ldots k$ are unary location operators.
With $\tilde m_i$ we denote the dual of $m_i$, i.e., $\tilde m_i F = \neg m_i \neg F$. With $\top$ we denote true, i.e. $\top = \neg\bot$.



2.1 Semantics

A model $\mathcal{M}$ for DSL formulae is a tuple $(W, R_1, \ldots, R_k, V)$. Let $u, v, w$ range over $W$; the
reachability relations $R_i$ satisfy the following conditions:

$$(u, v) \in R_i \to (v, v) \in R_i \qquad (4)$$
$$(u, v) \in R_i \to ((v, w) \in R_i \to v = w) \qquad (5)$$
$$(u, v) \in R_i \to \nexists w.\ (v, w) \in R_j \quad \text{for } j \neq i \qquad (6)$$

To help the intuition, $W$ can be thought of as having $k$ disjoint subsets of worlds: we call
these worlds leaves. Whenever $(u, v) \in R_i$, then $v$ is a leaf for relation $R_i$, namely an $i$-leaf.
Condition (4) says that $R_i$ is reflexive on $i$-leaves, conditions (5) and (6) say that $i$-leaves are
actually leaves: no other world can be reached. An example model is in Section 2.3, where
the $i$-leaves are singleton sets, having as unique element a state of component $m_i$.



The semantics of the DSL formulae is given by:

$$\begin{array}{lcl}
(\mathcal{M}, u) \models \top & & \\
(\mathcal{M}, u) \models p & \text{iff} & p \in V(u) \\
(\mathcal{M}, u) \models \neg F & \text{iff} & \text{not } (\mathcal{M}, u) \models F \\
(\mathcal{M}, u) \models F \wedge F' & \text{iff} & (\mathcal{M}, u) \models F \text{ and } (\mathcal{M}, u) \models F' \\
(\mathcal{M}, u) \models m_i F & \text{iff} & \exists v.\ (u, v) \in R_i \text{ and } (\mathcal{M}, v) \models F
\end{array}$$



2.2 Axiom system

We propose the following axiomatization for DSL. For the sake of readability, we use $m$ and
$n$, with $m \neq n$, instead of $m_i$ and $m_j$.

$$\begin{array}{ll}
\mathrm{PC} & \text{axioms of the propositional calculus} \\
\mathrm{K} & \tilde m(F \to F') \to (\tilde m F \to \tilde m F') \\
\mathrm{DSL1} & \tilde m(\tilde m F \leftrightarrow F) \\
\mathrm{DSL2} & \tilde m \tilde n \bot
\end{array}$$

$$\mathrm{MP}\ \frac{F \qquad F \to F'}{F'} \qquad\qquad \mathrm{Nec}\ \frac{F}{\tilde m F}$$

Theorem 1. The axiom system is sound and complete.

Proof. The soundness of the axioms is easy to see. We prove completeness.

Let $(W^{DSL}, R_1^{DSL}, \ldots, R_k^{DSL}, V^{DSL})$ be the canonical model for DSL: worlds in $W^{DSL}$
are maximal consistent sets of DSL formulae (DSL-MCS in the following), and $(u, v) \in R_i^{DSL}$
if and only if $\tilde m_i F \in u \to F \in v$. We need to show that, for all $i$, $R_i^{DSL}$ satisfies conditions (4)-(6).

Cond. (4): we prove that $(u, v) \in R_i^{DSL} \to (v, v) \in R_i^{DSL}$.
Suppose $\tilde m_i F \in v$. $u$ is a DSL-MCS and hence (see DSL1) $\tilde m_i(\tilde m_i F \to F) \in u$. But
$(u, v) \in R_i^{DSL}$, hence $\tilde m_i F \to F \in v$. Thus, by modus ponens, $F \in v$.

Cond. (5): we prove that $(u, v) \in R_i^{DSL}$ and $(v, w) \in R_i^{DSL}$ imply $v = w$.
It is sufficient to prove that $v \subseteq w$. In fact, $v$ and $w$ are DSL-MCS and it is not the case
that $v \subset w$, thus $v = w$. Let $F \in v$. $u$ is a DSL-MCS and hence (see DSL1) it includes
$\tilde m_i(F \to \tilde m_i F)$. But $(u, v) \in R_i^{DSL}$, hence $F \to \tilde m_i F \in v$. Thus, by modus ponens,
$\tilde m_i F \in v$. As $(v, w) \in R_i^{DSL}$, we conclude that $F \in w$.

Cond. (6): we prove that $(u, v) \in R_i^{DSL}$ implies $\nexists w.\ (v, w) \in R_j^{DSL}$, for $j \neq i$.
Assume $(v, w) \in R_j^{DSL}$. As $u$ is a DSL-MCS, it includes $\tilde m_i \tilde m_j \bot$ (DSL2). As $(u, v) \in R_i^{DSL}$,
then $\tilde m_j \bot \in v$. As $(v, w) \in R_j^{DSL}$, then $\bot \in w$, which is absurd. □

Example 2. The following formulae can be derived. Formulae are followed by the list of
axioms or rules used in their proof. The proofs are in the appendix.

$$\begin{array}{lll}
\text{axiom 4} & \tilde m F \to \tilde m \tilde m F & [\mathrm{DSL1}, \mathrm{K}] \\
\mathrm{D1} & \tilde m \tilde m F \to \tilde m F & [\mathrm{DSL1}, \mathrm{K}, \mathrm{PC}] \\
\mathrm{D2} & m(F \wedge F') \to (mF \wedge mF') & [\mathrm{PC}, \mathrm{Nec}, \mathrm{K}] \\
\mathrm{D3} & \tilde m(F \to F') \to (mF \to mF') & [\mathrm{Nec}, \mathrm{K}, \mathrm{MP}, \mathrm{PC}] \\
\mathrm{D4} & \tilde m F \to (m\top \to mF) & [\mathrm{D3}] \\
\mathrm{D5} & \tilde m(mF \leftrightarrow F) & [\mathrm{DSL1}, \mathrm{PC}] \\
\mathrm{D6} & (\tilde m(F \to F') \wedge \tilde m(F' \to F'')) \to \tilde m(F \to F'') & [\mathrm{Nec}, \mathrm{K}] \\
\mathrm{D7} & m(F \vee F') \leftrightarrow (mF \vee mF') & [\mathrm{D3}, \mathrm{Nec}, \mathrm{K}, \mathrm{PC}] \\
\mathrm{D8} & \tilde m((mF \wedge mF') \to m(F \wedge F')) & [\mathrm{D5}, \mathrm{D6}, \mathrm{D7}, \mathrm{Nec}, \mathrm{K}]
\end{array}$$



2.3 A frame of distributed states

Let $S_i$ be the set of states of component $m_i$, with $S_i \cap S_j = \emptyset$ for $i \neq j$, $S = \bigcup_i S_i$,
$DS = 2^S$, and $ds, ds' \in DS$. Let $(ds, ds') \in R_i$ if and only if $ds'$ is a singleton set $\{s\}$, with
$s \in S_i \cap ds$. The frame $(DS, R_1, \ldots, R_k)$ satisfies conditions (4)-(6) above. We call these
frames frames on $DS$, and call $DS$ the set of distributed states, from which the name of the
logic DSL. The frames on $DS$ play a central role in the paper, since they are used to build
the models for DSTL formulae.
Some examples follow.

Example 3. Let the set $DS$ be built on $S_1 = \{s, s'\}$ and $S_2 = \{s''\}$, then the frame on $DS$
can be represented as:

[Figure: the frame on $DS$; from each distributed state, $R_1$ arrows lead to the singletons $\{s\}$ and $\{s'\}$ it contains and $R_2$ arrows to $\{s''\}$, e.g. from $\{s, s''\}$ an $R_1$ arrow reaches $\{s\}$ and an $R_2$ arrow reaches $\{s''\}$.]

Note 4. For the sake of readability, when we use $m$ and $n$, we also use $S_m$ and $S_n$.



Example 5. If we take $s \in S_m$, $s' \in S_n$

[Figure: component $m$ with state $s$, component $n$ with state $s'$.]

with $V(\{s\}) = \{p\}$, $V(\{s'\}) = \{q\}$, then the distributed state $\{s, s'\}$ satisfies $m\,p \wedge n\,q$.

Example 6. The implication $m(F \wedge F') \to mF \wedge mF'$ holds, while the converse does not.
Indeed, for $ds = \{s, s'\} \subseteq S_m$

[Figure: component $m$ with state $s$ followed by state $s'$.]

and $V(\{s\}) = \{p\}$, $V(\{s'\}) = \{q\}$, we have $ds \models m\,p \wedge m\,q$, but not $ds \models m(p \wedge q)$. With an
eye to the full logic DSTL, this non-equivalence is useful to specify that an event can have
different future effects in a component, without constraining them to occur in the same state
(see the discussion in the last sections).

Example 7. The formula $m\,n\,F$ is false. In fact, $ds \models m\,n\,F$ if and only if there exists an
$s \in S_n \cap S_m \cap ds$ such that $\{s\} \models F$, but no such $s$ can exist since $S_m$ and $S_n$ are disjoint.
Conversely, $m\,m\,F$ is satisfiable, and it is equivalent to $m\,F$.

Example 8. The formula $m\top$ is satisfied by all the distributed states $ds$ such that $ds \cap S_m \neq \emptyset$.



3 DSTL 

DSTL extends DSL adding temporal operators. Formulae are built as follows:

$$\phi ::= F \mid F\ \mathsf{leads\_to}\ F' \mid F\ \mathsf{because}\ F' \mid F\ \mathsf{leads\_to\_c}\ F' \mid F\ \mathsf{because\_c}\ F' \mid F\ \mathsf{unless}\ F' \mid \mathsf{init}\ F$$

where $F, F' \in \mathrm{DSL}$. Operator leads_to expresses a liveness condition, and is similar to
Unity's $\mapsto$ (leads to): $F$ is surely followed by $F'$. Operator because expresses a safety condition, and says that $F$ must be preceded by $F'$.

Suffix c stands for closely: leads_to_c requires formula $F'$ to hold in the distributed states
in which $F$ holds, or in the next ones. Dually, because_c says that $F'$ must hold in the states
immediately preceding those satisfying $F$, or in the same ones.

Operator unless extends Unity's unless, and init permits to describe the initial state. A
special case of unless is stability:

$$\mathsf{stable}\ F \stackrel{\mathrm{def}}{=} F\ \mathsf{unless}\ \bot$$



3.1 Semantics 

The models for DSTL formulae are built on structures like the one in the following figure,
which describes the computation of a system with three components ($m$, $n$, $o$). We call $s^i_m$
the $i$-th state of component $m$. We call $ds^0$ the set of the initial states $\{s^0_m, s^0_n, s^0_o\}$.

[Figure: components $m$, $n$ and $o$, each a sequence of states $s^0, s^1, s^2, \ldots$, with oblique arrows for the communications between them.]

In the figure, plain arrows denote atomic state transitions and communications, dotted arrows
denote sequences of them.
Definition 9. ($R$, $R^=$, $R^*$)

State transitions and communications define a next state relation $R$, where $(s, s') \in R$
if and only if $s$ and $s'$ are states of the same component, with $s'$ immediately following
$s$, or if there is a communication from $s$ to $s'$. For example, in the computation above,
$(s^0_m, s^1_m) \in R$, and so is every pair of states joined by an oblique arrow. The plain arrows between pairs of states denote relation $R$.

We call $R^=$ the reflexive closure of $R$, and $R^*$ its reflexive and transitive closure. For example, in the computation above, $(s^0_m, s^2_m) \in R^*$, as is every pair of states joined by a path of arrows. We say that $s'$
causally depends on $s$ when $(s, s') \in R^*$. Causal dependency has to be read as the partial order relationship between states of a distributed computation, defined by state transitions and
communications [15]. If neither $(s, s') \in R^*$ nor $(s', s) \in R^*$, states $s$ and $s'$ are concurrent.

Definition 10. (Models, $\le$, $\le_c$)

A model $\mathcal{M}$ is a tuple $(DS, R_1, \ldots, R_k, \le, \le_c, V)$, where:

$$ds \le ds' \text{ iff } \forall s \in ds.\ \exists s' \in ds'.\ (s, s') \in R^* \text{ and } \forall s' \in ds'.\ \exists s \in ds.\ (s, s') \in R^*$$
$$ds \le_c ds' \text{ iff } \forall s \in ds.\ \exists s' \in ds'.\ (s, s') \in R^= \text{ and } \forall s' \in ds'.\ \exists s \in ds.\ (s, s') \in R^=$$

We also ask that the valuation function $V : DS \to 2^P$ satisfies $V(ds) = \bigcap_{s \in ds} V(\{s\})$.

Definition 11. (Semantics)

Let $\mathcal{M}$ be a model, and $ds^0$ the set of its initial states. We define:

$$\begin{array}{lcl}
\mathcal{M} \models_T F & \text{iff} & \forall ds.\ ds \models F \\
\mathcal{M} \models_T F\ \mathsf{leads\_to}\ F' & \text{iff} & \forall ds.\ ds \models F \text{ implies } \exists ds' \ge ds.\ ds' \models F' \\
\mathcal{M} \models_T F\ \mathsf{because}\ F' & \text{iff} & \forall ds.\ ds \models F \text{ implies } \exists ds' \le ds.\ ds' \models F' \\
\mathcal{M} \models_T F\ \mathsf{leads\_to\_c}\ F' & \text{iff} & \forall ds.\ ds \models F \text{ implies } \exists ds' \ge_c ds.\ ds' \models F' \\
\mathcal{M} \models_T F\ \mathsf{because\_c}\ F' & \text{iff} & \forall ds.\ ds \models F \text{ implies } \exists ds' \le_c ds.\ ds' \models F' \\
\mathcal{M} \models_T F\ \mathsf{unless}\ F' & \text{iff} & \forall ds.\ ds \models F \text{ implies } \exists ds' \ge_c ds.\ (ds' \not\supseteq ds \wedge ds' \models F) \vee ds' \models F' \\
\mathcal{M} \models_T \mathsf{init}\ F & \text{iff} & ds^0 \models F
\end{array}$$

where $\models$ is the DSL satisfiability relation.

The next section discusses this definition using some examples. In particular, the side
condition $ds' \not\supseteq ds$ for unless is illustrated in Example 15.

3.2 Examples 

To exemplify the definition of the DSTL semantics, we choose some formulae and discuss
whether they are satisfied or not by a model $\mathcal{M}$ (a computation of a system made up of
two components, $m$ and $n$). In the examples we can only present the initial fragments; the
discussion on satisfiability is done with respect to the given fragment. From now on, we label
the states with the predicates holding in them instead of a name.

We recall that, according to the definition in Section 2.3, a distributed state is any set
of states. This means that when we have to check a condition like $\forall ds \ldots \exists ds' \ldots$, we need
to consider all possible sets of states as $ds$. This may lead to counter-intuitive choices, like
picture (c) of Table 1 to reason on the first formula of Example 13. We consider these
choices in the examples to clarify the semantic details. However, the specifier can be safely
guided by the natural interpretation of the operators. Anyhow, our definition of distributed
state is exactly what was needed to overcome the problems with the existing models, as
discussed in the introduction.
[Table 1, pictures (a) to (h): eight drawings of the same computation of two components $m$ and $n$, whose states are labelled with the predicates holding in them ($p$, $q$, $r$, $u$, $z$ along $m$; $p$, $t$, $u$, $v$, $w$ along $n$) and joined by arrows for transitions and communications; circles and rectangles outline the distributed states $ds$ and $ds'$ discussed in Examples 12 and 13.]

Table 1. We provide various representations of a computation, to outline the distributed
states of interest for the examples.
Example 12. (Invariants.) We consider, as model $\mathcal{M}$, the computation in Table 1. We
refer to picture (a), and call $s$ and $s'$ the states outlined by the circle and the rectangle,
respectively. We show that $w \to t$, $\tilde n(w \to t)$, and $n\top \to n(w \to t)$ are invariants of the
computation, while $n(w \to t)$ is not invariant.

$\mathcal{M} \models_T w \to t$. This formula reads: in any distributed state of the computation, $w \to t$ holds.
State $s$ is the only one satisfying $w$. Take $ds = \{s\}$, then $ds \models w \wedge t$, and thus $ds \models w \to t$.
For any distributed state $ds' \neq ds$ we have that $ds' \not\models w$ (even if $s \in ds'$), and thus
$ds' \models w \to t$.

$\mathcal{M} \models_T \tilde n(w \to t)$. This formula reads: in any distributed state $w \to t$ holds in all the states
of $n$, or, in short, $w \to t$ holds in any state of $n$.
We have to show that for all $ds$, $ds \models \tilde n(w \to t)$, that is for all $s_n \in ds \cap S_n$, $\{s_n\} \models w \to t$.
This, in turn, holds since $\{s\} \models w \wedge t$, and for all $s_n \neq s$, $\{s_n\} \not\models w$. By the way, this
result follows by Nec from the previous one.

$\mathcal{M} \models_T n\top \to n(w \to t)$. This formula reads: in any distributed state of the computation
that contains at least one state of $n$, there is a state of $n$ where $w \to t$ holds.
Any distributed state $ds$ satisfying the premise $n\top$ includes a state in $S_n$, and all states
in $S_n$ satisfy $w \to t$. So $ds \models n(w \to t)$.

$\mathcal{M} \not\models_T n(w \to t)$. The formula reads: in any distributed state of the computation, there is a
state of $n$ where $w \to t$ holds, and it is false in $\mathcal{M}$.
For $\mathcal{M} \models_T n(w \to t)$ to be true, we would need that for all $ds$, $ds \models n(w \to t)$, which
is true only if a state $s_n \in ds \cap S_n$ exists, and satisfies $(w \to t)$. However, there are
distributed states not including any state $s_n \in S_n$, e.g. $\{s'\}$. In the practice, formulae
like $mF$ are used only as subformulae of larger formulae, e.g. as premises and conclusions
of an implication.

Example 13. (Temporal operators.) In the example, we refer to pictures (b)-(h) in Table 1.
The distributed state $ds$ satisfying the premise is the set of states outlined with a circle,
and the distributed state $ds'$ satisfying the consequence is the set of states outlined with a
rectangle.

$\mathcal{M} \models_T n\,u\ \mathsf{leads\_to}\ m\,u$. It is enough to consider those distributed states that contain the
last state of $n$ where $u$ holds. Pictures (b) and (c) show two relevant cases: in the second
case we need to consider a larger distributed state to evaluate the consequence, just to
satisfy the "follows" relation.
Picture (c) also shows that DSTL overcomes the problems discussed at point 3 in the
introduction: a distributed state satisfying the consequence and following $ds$ exists.

$\mathcal{M} \models m\,p \wedge n\,v\ \mathsf{leads\_to}\ m\,z \wedge n\,t$. See picture (d): the distributed state satisfying $m\,p \wedge n\,v$ is
followed by a distributed state satisfying $m\,z \wedge n\,t$.

$\mathcal{M} \models m\,q\ \mathsf{leads\_to}\ n\,v$. See picture (e): the distributed state satisfying the premise includes
states which are irrelevant with respect to property $m\,q$; for them we only need to check
that the "follows" relation is satisfied. The state satisfying $z$ belongs both to $ds$ and $ds'$.

$\mathcal{M} \models m\,p \wedge n\,v\ \mathsf{leads\_to\_c}\ m\,q$. See picture (f): the state where $q$ holds immediately follows
the one satisfying $p$. Then any state equal to or immediately following the one satisfying $v$ is
fine to build the distributed state satisfying the consequence, and the "closely" relation.

$\mathcal{M} \models n\,w\ \mathsf{because}\ n\,p \wedge n\,u$. Here it is enough to consider those distributed states that contain
the first state of $n$ where $w$ holds. Then, in the example model, we show two distributed
states that satisfy the consequence: see pictures (g) and (h).

$\mathcal{M} \models n\,w\ \mathsf{because}\ n(p \wedge u)$. See picture (g). Note that we need a singleton state satisfying
both $p$ and $u$. Hence, in this case, the distributed state $ds'$ in picture (h) does not satisfy
the consequence.
Table 2. We provide a pair of representations of a computation, to outline the distributed
states of interest for Example 14.



Example 14. (unless formulae.) We consider, as a model, the computation in Table 2.

$\mathcal{M} \models n\,p\ \mathsf{unless}\ n\,t$. See picture (i): we take singleton sets for $ds$ and $ds'$, and outline with a
sequence of circles the sequence of distributed states satisfying the formula premise, and
use a rectangle to outline the distributed state satisfying the formula consequence.

$\mathcal{M} \models p\ \mathsf{unless}\ q \vee t$. The sequence of distributed states in picture (i) provides a first demonstration. We also consider, in picture (l), the distributed states in the sequence to be
pairs of states: each distributed state is made of the two states related by a dotted line;
circles outline the states satisfying the formula premise, rectangles the states satisfying
the formula consequence. For instance, the initial state is the first distributed state we
consider, followed by the set {first state of $m$, second state of $n$}, and so on.



Example 15. ($ds' \not\supseteq ds$ in the definition of the semantics of unless.) Assume we did not
require condition $ds' \not\supseteq ds$ in the definition of the semantics of unless; then the following
computation would have been a model for $n\,p\ \mathsf{unless}\ n\,q$, in discrepancy with the intended
meaning for unless. We consider the sequence $ds, ds', ds'', ds''', \ldots$ of distributed states,
where $ds$ contains the first state of component $n$, $ds'$ contains the first two states of component
$n$, $ds''$ contains the first three, and so on: all these distributed states satisfy $n\,p$.

[Figure: components $m$ and $n$, with the nested distributed states $ds \subset ds' \subset ds'' \subset \ldots$ drawn as growing prefixes of the sequence of states of $n$.]

Example 16. (stable.) The following computation is a model for $\mathsf{stable}\ p$.

[Figure: component $m$, where $p$ holds in the first states and $z$ in the later ones, and component $n$, where $p$ holds in every state; oblique arrows denote communications from $m$ to $n$.]

Notice that, unlike in Unity, $p$ is not an invariant of the computation, even though $\mathsf{init}\ p$
and $\mathsf{stable}\ p$ hold. In the next section, we provide the correct derivation rule (SE) that can
be used in DSTL.
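The semantics of Definitions 9 to 11 can be checked mechanically on a finite computation. The following Python checker is an added example, not code from the paper: it builds $R$, $R^=$ and $R^*$ for a constructed two-component computation (states, valuations and the single communication are invented here), enumerates the distributed states and evaluates the DSL location operators and every DSTL operator by brute force. It assumes that the empty distributed state is left out and, since only a finite fragment is given, that premises range over distributed states not containing the last state of a component (which stands for the unobserved continuation, as in Section 3.2); the returned observations mirror Examples 15 and 16: $\mathsf{init}\ p$ and $\mathsf{stable}\ p$ hold while $p$ is not invariant, and without the side condition $ds' \not\supseteq ds$ unless holds trivially.

```python
from itertools import combinations
# Constructed computation (an added example, not one of the paper's figures): components
# m and n, states named "<component><index>"; VAL lists the predicates holding in each.
VAL = {"m0": {"p"}, "m1": {"p"}, "m2": {"z"},
       "n0": {"p", "t"}, "n1": {"p", "u"}, "n2": {"p", "v"}}
COMPONENTS = {"m": ["m0", "m1", "m2"], "n": ["n0", "n1", "n2"]}
COMMS = {("m1", "n2")}             # one message, sent from m1 and received in n2
INITIAL = frozenset({"m0", "n0"})  # ds0: exactly one initial state per component

def next_relation():
    """R of Definition 9: local successors plus communications."""
    rel = set(COMMS)
    for states in COMPONENTS.values():
        rel.update(zip(states, states[1:]))
    return rel

def reflexive_transitive_closure(rel):
    """R*, the causal-dependency partial order of Definition 9."""
    closure = set(rel) | {(s, s) for s in VAL}
    while True:
        new = {(a, d) for a, b in closure for c, d in closure if b == c} - closure
        if not new:
            return closure
        closure |= new

R = next_relation()
R_EQ = R | {(s, s) for s in VAL}          # R=, the reflexive closure
R_STAR = reflexive_transitive_closure(R)  # R*
# Distributed states: the non-empty subsets of S (the empty set is left out here).
ALL_DS = [frozenset(c) for k in range(1, len(VAL) + 1) for c in combinations(VAL, k)]
# Only a fragment is given: the last state of each component stands for the unobserved
# continuation, so premises are quantified over distributed states of the prefix.
PREFIX = {s for states in COMPONENTS.values() for s in states[:-1]}
PREMISE_DS = [ds for ds in ALL_DS if ds <= PREFIX]

def val(ds):
    """V(ds): intersection of the valuations of the states in ds (Definition 10)."""
    return set.intersection(*(VAL[s] for s in ds))

def sat(ds, f):
    """DSL satisfaction over the frame on DS (Sections 2.1 and 2.3). A formula is True,
    False, "p", ("not", f), ("and", f, g), ("imp", f, g), ("some", c, f) for the location
    operator c f (some state of c in ds satisfies f) or ("all", c, f) for its dual."""
    if isinstance(f, bool):
        return f
    if isinstance(f, str):
        return f in val(ds)
    op = f[0]
    if op == "not":
        return not sat(ds, f[1])
    if op == "and":
        return sat(ds, f[1]) and sat(ds, f[2])
    if op == "imp":
        return (not sat(ds, f[1])) or sat(ds, f[2])
    leaves = [frozenset({s}) for s in ds if s in COMPONENTS[f[1]]]  # the i-leaves of ds
    return (any if op == "some" else all)(sat(leaf, f[2]) for leaf in leaves)

def precedes(ds, ds2, rel):
    """ds <= ds2 when rel is R_STAR, ds <=_c ds2 when rel is R_EQ (Definition 10)."""
    return (all(any((s, s2) in rel for s2 in ds2) for s in ds)
            and all(any((s, s2) in rel for s in ds) for s2 in ds2))

def invariant(f): return all(sat(ds, f) for ds in ALL_DS)
def init(f): return sat(INITIAL, f)

def leads_to(f, g, closely=False):
    rel = R_EQ if closely else R_STAR
    return all(any(precedes(ds, ds2, rel) and sat(ds2, g) for ds2 in ALL_DS)
               for ds in PREMISE_DS if sat(ds, f))

def because(f, g, closely=False):
    rel = R_EQ if closely else R_STAR
    return all(any(precedes(ds2, ds, rel) and sat(ds2, g) for ds2 in ALL_DS)
               for ds in ALL_DS if sat(ds, f))

def unless(f, g, side_condition=True):
    """side_condition=True keeps "ds' is not a superset of ds" (the step must leave ds);
    side_condition=False drops it, the reading that Example 15 warns against."""
    def step_ok(ds, ds2):
        keeps_f = (not side_condition or not ds2 >= ds) and sat(ds2, f)
        return precedes(ds, ds2, R_EQ) and (keeps_f or sat(ds2, g))
    return all(any(step_ok(ds, ds2) for ds2 in ALL_DS)
               for ds in PREMISE_DS if sat(ds, f))
def stable(f): return unless(f, False)

def observations():
    """Facts about the constructed computation, in the spirit of Examples 15 to 17."""
    m_p, n_v, m_q = ("some", "m", "p"), ("some", "n", "v"), ("some", "m", "q")
    return {
        "init p": init("p"),                    # p holds in ds0 = {m0, n0}
        "stable p": stable("p"),                # the last p-state of m sends to n
        "invariant p": invariant("p"),          # fails: m2 satisfies only z
        "m p leads_to n v": leads_to(m_p, n_v),
        "m p leads_to_c n v": leads_to(m_p, n_v, closely=True),  # n2 is no next state of m0
        "n v because m p": because(n_v, m_p),
        "m p unless m q": unless(m_p, m_q),     # p is lost in m and q never shows up
        "m p unless m q, no side condition": unless(m_p, m_q, side_condition=False),
        "stable m p": stable(m_p),              # so rule SE cannot make p invariant in m
    }
```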
3.3 Axioms and Rules

We present the most useful axioms and rules of the logic. Among them, temporal operator
introduction, strengthening of premises and weakening of consequences, and transitivity.

Necessitation. First, we observe that the definition for $\mathcal{M} \models_T F$ entails that a necessitation
rule holds (we use $\vdash_T$ for the sake of comprehension).

$$\mathrm{Nec}\ \frac{\vdash F}{\vdash_T F}$$

Operator introduction and elimination. Rules and axioms LcI, BcI, LI, BI, UI, InI,
SI introduce leads_to_c, because_c, leads_to, because, unless, init, stable respectively. Rule
SE eliminates stable.

$$\mathrm{LcI}:\ F\ \mathsf{leads\_to\_c}\ F \qquad \mathrm{BcI}:\ F\ \mathsf{because\_c}\ F \qquad \mathrm{LI}\ \frac{F\ \mathsf{leads\_to\_c}\ G}{F\ \mathsf{leads\_to}\ G} \qquad \mathrm{BI}\ \frac{F\ \mathsf{because\_c}\ G}{F\ \mathsf{because}\ G}$$

$$\mathrm{UI}:\ F\ \mathsf{unless}\ F \qquad \mathrm{InI}\ \frac{F}{\mathsf{init}\ F} \qquad \mathrm{SI}\ \frac{F}{\mathsf{stable}\ F} \qquad \mathrm{SE}\ \frac{\mathsf{init}\ mF \qquad \mathsf{stable}\ mF}{\tilde m F}$$

Transitivity. LTR and BTR are the rules for leads_to and because transitivity.

$$\mathrm{LTR}\ \frac{F\ \mathsf{leads\_to}\ F' \qquad F'\ \mathsf{leads\_to}\ G}{F\ \mathsf{leads\_to}\ G} \qquad\qquad \mathrm{BTR}\ \frac{F\ \mathsf{because}\ F' \qquad F'\ \mathsf{because}\ G}{F\ \mathsf{because}\ G}$$

No transitivity rule holds for leads_to_c and because_c. In the case of unless, there is a weaker
result (a weak form of the rule called cancellation in Unity):

$$\mathrm{UC}\ \frac{mF\ \mathsf{unless}\ mF' \qquad mF'\ \mathsf{unless}\ mG}{mF \vee mF'\ \mathsf{unless}\ mG}$$

Premises and consequences strengthening and weakening. *SW permits the strengthening of the premise, and the weakening of the consequences, and *PD and *CC stand for
premise disjunction and consequence conjunction, respectively. Actual rules LSW, LPD and
LCC are obtained by substituting op with leads_to. Similarly, BSW, BPD, and BCC are
obtained by substituting op with because; LcSW, LcPD, and LcCC are obtained by substituting op with leads_to_c; BcSW, BcPD, and BcCC are obtained by substituting op with
because_c.

$$\mathrm{*SW}\ \frac{G \to F \qquad F\ \mathsf{op}\ F' \qquad F' \to G'}{G\ \mathsf{op}\ G'} \qquad \mathrm{*PD}\ \frac{F\ \mathsf{op}\ G \qquad F'\ \mathsf{op}\ G}{F \vee F'\ \mathsf{op}\ G} \qquad \mathrm{*CC}\ \frac{G\ \mathsf{op}\ F \qquad G\ \mathsf{op}\ F'}{G\ \mathsf{op}\ F \wedge F'}$$

In the case of unless and init:

$$\mathrm{UCW}\ \frac{F\ \mathsf{unless}\ F' \qquad F' \to G}{F\ \mathsf{unless}\ G} \qquad \mathrm{UD}\ \frac{F\ \mathsf{unless}\ F' \qquad G\ \mathsf{unless}\ G'}{F \vee G\ \mathsf{unless}\ F' \vee G'} \qquad \mathrm{IW}\ \frac{\mathsf{init}\ F \qquad F \to G}{\mathsf{init}\ G}$$
Notification. Some future remote assertions can be made on the basis of a message received.

$$\mathrm{Notif}\ \frac{F\ \mathsf{because}\ G \qquad G\ \mathsf{leads\_to}\ mG' \qquad \mathsf{stable}\ mG'}{F \wedge m\top\ \mathsf{leads\_to}\ mG'}$$

Explicit reference to the name $m$ of the component where the remote effect $G'$ takes place,
and the extra premise $m\top$ are needed to guarantee that the state satisfying the consequence
follows the state satisfying the premise, even in the absence of a communication towards $m$.

To help the intuition, we consider an instance of the rule:

$$\frac{n\,p\ \mathsf{because}\ m\,q \qquad m\,q\ \mathsf{leads\_to}\ m\,r \qquad \mathsf{stable}\ m\,r}{n\,p \wedge m\top\ \mathsf{leads\_to}\ m\,r}$$

Condition $p$ can be established in $n$ only if previously $q$ has held in $m$. The second and the
third premises guarantee that if $q$ holds somewhere in $m$, then eventually $r$ will hold, and
it will continue holding forever. Thus, for any $ds$ satisfying $n\,p \wedge m\top$ we can find a state $s_m$
of $S_m$, such that $\{s_m\} \ge ds$ and $\{s_m\} \models m\,r$. Conversely, in the absence of communications
from $n$ to $m$, if we take a state $s_n$ of $S_n$ such that $\{s_n\} \models n\,p$, we cannot find any distributed
state following $\{s_n\}$ and including a state of $S_m$, as needed to satisfy $m\,r$.

Confluence. The converse of DSL axiom D2 holds, under appropriate stability conditions:

$$\mathrm{Conf}\ \frac{\mathsf{stable}\ mF \qquad \mathsf{stable}\ mF'}{mF \wedge mF' \to m(F \wedge F')}$$

Properties of the initial state. The following rules are a consequence of the fact that the
initial distributed state $ds^0$ contains exactly one state for each component.

$$\mathrm{I1}:\ \mathsf{init}\ m\top \qquad \mathrm{I2}\ \frac{\mathsf{init}\ mF}{\mathsf{init}\ \tilde m F} \qquad \mathrm{I3}\ \frac{\mathsf{init}\ \tilde m F}{\mathsf{init}\ mF}$$

Example 17. (SE) The following computation satisfies $\mathsf{init}\ m\,p$ and $\mathsf{stable}\ m\,p$.

[Figure: component $m$, where every state satisfies $p$, and component $n$, where $p$ holds only in some states.]

Hence, applying rule SE, we obtain that the computation satisfies $\tilde m p$, i.e. that $p$ is invariantly
true in component $m$.

It is also interesting to discuss why the cancellation rule

$$\frac{F\ \mathsf{unless}\ F' \qquad F'\ \mathsf{unless}\ G}{F \vee F'\ \mathsf{unless}\ G}$$

does not hold in general. We consider, as rule premises, $m\,p\ \mathsf{unless}\ m\,p \wedge n\,q$ and
$m\,p \wedge n\,q\ \mathsf{unless}\ m\,r \wedge n\,s$. The following computation is a model of the premises, but not of the
consequence $m\,p \vee (m\,p \wedge n\,q)\ \mathsf{unless}\ m\,r \wedge n\,s$.

[Figure: the computation of components $m$ and $n$ used as counterexample.]
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Theorems. We introduce two rules we need in the case study of Section [3 They are derived 
by the rules above, as shown in the appendix. 

F LEADS-TO GvG' G leadsjto f' F leadsjto G A G' G leads_to F' 
Corl Cor2 

F LEADS-TO F' V G' F LEADS-TO F' A G' 

Correctness and completeness. The soundness of the DSTL proof system can be imme- 
diately proved applying Def. 1111 In the appendix we provide the proof of the most complex 
rules, namely Notif and Conf. 

Unfortunately, the proof system is not complete. Let us consider a system satisfying m̄_i p,
for all i. The system also satisfies p, as a consequence of the property V(ds) = ∩_{s∈ds} V({s}),
but we cannot find a general rule to derive it. Indeed, the rule

        m̄_1 F    m̄_2 F    ...    m̄_k F
        --------------------------------
                       F

is not correct. It holds for F = p, or F = p ∧ q, but not, for instance, for F = p ∨ q. In fact,
consider a very simple system composed of a unique component m, with states s_0, s_1, s_2, ...,
and p ∈ V(s_0), q ∈ V(s_1), q ∈ V(s_2), .... All distributed states satisfy m̄(p ∨ q), while the
distributed states including s_0 do not satisfy p ∨ q. Take ds = {s_0, s_1}: we have that ds ⊨ p ∨ q
iff ds ⊨ p or ds ⊨ q, iff p ∈ V(ds) or q ∈ V(ds), iff p ∈ V(s_0) ∩ V(s_1) or q ∈ V(s_0) ∩ V(s_1).
Hence, since V(s_0) ∩ V(s_1) = ∅, we have that ds ⊭ p ∨ q.

Thus, a complete proof system, if any, would likely be unmanageable, and we do not
pursue the issue further. On the other side, the consequence of relaxing the constraint on
the valuation function would be as impractical as explicitly specifying the truth value of all
predicates on all distributed states.

4 An Example: Private Keys 

Consider the system {b, t, u}, where b is a component that broadcasts the encrypted version
of a message to all the other components in the system, i.e. t (trusted) and u (untrusted).
We assume that these components try to decrypt the message. We represent with predicate
p the fact that the message is readable, and with predicate dep the fact that a decryption
has been attempted. However, the decryption yields p if and only if the key is held. Predicate
key represents the property of holding the key.

4.1 Reasoning on distributed states: DSL 

The properties of the distributed states of the system are described by the following DSL 
formulae: 

(~bT) → ((key ∧ dep) ↔ p)                                                      (7)
t key                                                                          (8)
u ~key                                                                         (9)

Formula (7) tells that in all components, with the exception of b, p and dep are equivalent
only if the key is held. Indeed, if (7) holds, as required, in all ds ∈ DS, it holds in particular
in all ds which are singleton sets. So, it holds for all {s_t} and {s_u}. Since in these states the
premise of (7) is satisfied, so is the conclusion, i.e. in all states of t and u: (key ∧ dep) ↔ p.
We derive the property for t: 



        (~bT) → ((key ∧ dep) ↔ p)
        ------------------------------------ Nec, K
        t(~bT) → t((key ∧ dep) ↔ p)        t(~bT)
        -------------------------------------------- MP
        t((key ∧ dep) ↔ p)

Component t holds the key (8), while component u does not (9). We derive that t is able
to correctly decrypt the message. We pick one of the implications, i.e. (key ∧ dep) → p, and
prove that t(dep → p) (the top leftmost formula is a tautology of the propositional calculus):

        ((key ∧ dep) → p) → (key → (dep → p))        t((key ∧ dep) ↔ p)
        ------------------------------------------------------------ Nec, K, MP
        t(key → (dep → p))
        ----------------------------- K
        t key → t(dep → p)        t key
        -------------------------------- MP
        t(dep → p)

We now consider component u and prove that u ~p holds, i.e. that the untrusted component
is not able to read the message. We consider the implication p → (key ∧ dep) (the top leftmost
formula is a tautology of the propositional calculus):

        (p → (key ∧ dep)) → (~key → ~p)        u((key ∧ dep) ↔ p)
        -------------------------------------------------------- Nec, K, MP
        u(~key → ~p)        u ~key
        --------------------------- K, MP
        u ~p
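Both the completeness counterexample at the end of Section 3 and the DSL derivations of this section can be checked mechanically against the semantics of distributed states. The following evaluator is an added example, not the paper's own code: the local states chosen for the private keys system, and the reading of (8) and (9) as the universal (barred) modality that the Nec and K steps require, are assumptions of the example.

```python
# Added example, not the paper's own code: a small model checker for DSL formulae
# over distributed states, following the semantics stated in the text.
#   - an atom holds in ds iff it holds in every state of ds   (V(ds) = ∩ V({s}))
#   - connectives are classical
#   - ds |= mF  iff some state of component m in ds satisfies F   ('dia')
#   - ds |= m̄F  iff every state of component m in ds satisfies F  ('box', i.e. ~m~F)
# A local state is (component, frozenset of true atoms); a distributed state is a
# frozenset of local states.  Formulae are nested tuples, e.g. ('->', 'p', ('~', 'q')).
from itertools import combinations

def holds(ds, f):
    """Return True iff the distributed state ds satisfies the DSL formula f."""
    if isinstance(f, str):                       # atom: true only if true in all states of ds
        return all(f in atoms for _, atoms in ds)
    op = f[0]
    if op == 'T':
        return True
    if op == '~':
        return not holds(ds, f[1])
    if op == '&':
        return holds(ds, f[1]) and holds(ds, f[2])
    if op == '|':
        return holds(ds, f[1]) or holds(ds, f[2])
    if op == '->':
        return (not holds(ds, f[1])) or holds(ds, f[2])
    if op == '<->':
        return holds(ds, f[1]) == holds(ds, f[2])
    if op == 'dia':                              # mF: existential over the states of m in ds
        return any(holds(frozenset([s]), f[2]) for s in ds if s[0] == f[1])
    if op == 'box':                              # m̄F = ~m~F: universal over the states of m in ds
        return not holds(ds, ('dia', f[1], ('~', f[2])))
    raise ValueError("unknown operator %r" % (op,))

def completeness_counterexample():
    """One-component system of the text: m̄(p ∨ q) holds in ds = {s0, s1}, p ∨ q does not."""
    s0, s1 = ('m', frozenset({'p'})), ('m', frozenset({'q'}))
    ds = frozenset([s0, s1])
    p_or_q = ('|', 'p', 'q')
    return holds(ds, ('box', 'm', p_or_q)), holds(ds, p_or_q)

def conjunction_not_distributive():
    """mp ∧ mq holds in {s0, s1} while m(p ∧ q) does not (non-equivalence of Section 6)."""
    ds = frozenset([('m', frozenset({'p'})), ('m', frozenset({'q'}))])
    both = ('&', ('dia', 'm', 'p'), ('dia', 'm', 'q'))
    return holds(ds, both), holds(ds, ('dia', 'm', ('&', 'p', 'q')))

# Constructed local states for the private keys system: b holds the readable message,
# t holds the key and may have attempted a decryption, u never holds the key.
PK_STATES = [('b', frozenset({'p'})),
             ('t', frozenset({'key'})), ('t', frozenset({'key', 'dep', 'p'})),
             ('u', frozenset()), ('u', frozenset({'dep'}))]
F7 = ('->', ('~', ('dia', 'b', ('T',))), ('<->', ('&', 'key', 'dep'), 'p'))
F8 = ('box', 't', 'key')           # assumption: (8) and (9) read as the universal modality
F9 = ('box', 'u', ('~', 'key'))

def private_keys_check():
    """Return (premises (7),(8),(9) hold in every ds, t̄(dep → p) holds in every ds,
    ū ~p holds in every ds) over all non-empty distributed states built from PK_STATES."""
    all_ds = [frozenset(c) for r in range(1, len(PK_STATES) + 1)
              for c in combinations(PK_STATES, r)]
    premises = all(holds(ds, F7) and holds(ds, F8) and holds(ds, F9) for ds in all_ds)
    t_conclusion = all(holds(ds, ('box', 't', ('->', 'dep', 'p'))) for ds in all_ds)
    u_conclusion = all(holds(ds, ('box', 'u', ('~', 'p'))) for ds in all_ds)
    return premises, t_conclusion, u_conclusion

def premise_of_7_matters():
    """In the singleton {s_b} the consequent of (7) is false, so (7) needs the premise ~bT."""
    sb = frozenset([PK_STATES[0]])
    return holds(sb, ('<->', ('&', 'key', 'dep'), 'p')), holds(sb, F7)
```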



4.2 Reasoning on distributed computations: DSTL 

We now add some constraints on the temporal behaviour of the private keys system: as soon
as the message is readable in b, b broadcasts its encrypted version (10); t and u try to decrypt
the message (11, 12).

b p leads_to t ep ∧ u ep                                                       (10)
t ep leads_to t dep                                                            (11)
u ep leads_to u dep                                                            (12)



To prove that u will not correctly decrypt the message, we need to prove that u ~p.
This is immediately obtained by applying Nec to the corresponding DSL formula derived
in Section 4.1. We prove that b p leads_to t p. We exploit the conclusion of Section 4.1,
t(dep → p):

        b p leads_to t ep ∧ u ep        (t ep ∧ u ep) → t ep
        ------------------------------------------------ LSW
        b p leads_to t ep        t ep leads_to t dep                  t(dep → p)
        -------------------------------------------- LTR      --------------- D3
        b p leads_to t dep                                      t dep → t p
        ------------------------------------------------------------------- LSW
        b p leads_to t p
5 An Example: Leader Election

The leader election problem is a typical example of distributed consensus. It is well known
that in an asynchronous setting, no algorithm can guarantee that a distributed consensus is
reached (see, for instance, [26]). The solution we discuss here leads to the election of a leader,
or to the agreement that no leader has been chosen; in this case a new election round can
take place.

Initially all the k participants are eligible. They toss a coin: those who get head are no
longer eligible and acknowledge the other participants; those who get tail toss the coin again.
The election round ends when either only one participant is still eligible and becomes the
leader, or nobody is eligible.

Predicate e_i says that participant i is still eligible: initially all participants agree that they
are all eligible; each participant falsifies his e_i when acknowledged that participant i got a
head.

In the following we list the local properties satisfied by each participant and derive the
global property of the proposed solution: eventually all participants agree that either nobody
is eligible, i.e. ~e_i holds for all i and in all participants, or only one participant is still
eligible, i.e. there exists a j such that in all participants e_j holds while e_k is false for all
k ≠ j. Formally:

        ⋀_i m_i T  leads_to  ⋀_i m_i(⋀_j ~e_j)  ∨  ⋁_j ⋀_i m_i(e_j ∧ ⋀_{k≠j} ~e_k)

In the case of two participants:

        m_1 T ∧ m_2 T  leads_to  m_1(~e_1 ∧ ~e_2) ∧ m_2(~e_1 ∧ ~e_2)        (no leader elected)
                              ∨  m_1(e_1 ∧ ~e_2) ∧ m_2(e_1 ∧ ~e_2)          (e_1 elected)
                              ∨  m_1(e_2 ∧ ~e_1) ∧ m_2(e_2 ∧ ~e_1)          (e_2 elected)

The local properties follow. 

1. Fairness of the toss up: nobody can spin the coin infinitely many times and never get a head.
So, either a participant eventually stops spinning the coin or he gets a head. For all i:

        m_i T leads_to m_i(stop ∨ h)

2. Participant i stops if and only if the other participants are no longer eligible:

        m_i(stop ↔ ⋀_{j≠i} ~e_j)

3. When participant i gets a head, he sends an ack to all participants, who declare i non
eligible:

        m_i h leads_to ⋀_j m_j ~e_i

4. A participant can be declared non eligible only if he got a head:

        m_j ~e_i because m_i h

5. Initially all participants are eligible:

        init ⋀_i m_i(⋀_j e_j)



6. Non eligibility is stable:

        stable m_j ~e_i
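The six local properties above describe an executable protocol. The following simulation is an added example, not the paper's code: it runs one coin-tossing round under a random asynchronous schedule and checks the global property the round must end in; the scheduler, the seeds and the bookkeeping of the local predicates are assumptions of the example.

```python
# Added example, not the paper's own code: simulation of the coin-tossing leader
# election of Section 5 over asynchronous message passing, with a check of the
# global property (all agree that nobody is eligible, or all agree on one leader).
import random
from collections import deque

class Participant:
    def __init__(self, ident, k):
        self.i = ident
        self.e = {j: True for j in range(k)}   # property 5: initially everybody is eligible
        self.h = False                          # got a head: stops tossing, sends an ack
        self.stop = False                       # property 2: stop iff all others non-eligible
        self.inbox = deque()                    # acks in flight towards this participant

    def active(self):
        """Something left to do: an ack to deliver, or the coin still to toss."""
        return bool(self.inbox) or not (self.h or self.stop)

    def step(self, rng, acks):
        """One local action: deliver one pending ack if any, otherwise toss the coin."""
        if self.inbox:
            # properties 4 and 6: e_i is falsified only after an ack from i, and stays false
            self.e[self.inbox.popleft()] = False
        elif not self.h:
            if rng.random() < 0.5:              # head: property 3, acknowledge everybody
                self.h = True
                acks.append(self.i)
            # tail: the coin is tossed again at a later step (property 1: a fair coin)
        self.stop = all(not self.e[j] for j in self.e if j != self.i)

def run_election(k, seed):
    """Run one round among k participants under a seeded random asynchronous schedule."""
    rng = random.Random(seed)
    ps = [Participant(i, k) for i in range(k)]
    in_flight = []                  # acks sent in the last step, delivered later to every inbox
    while True:
        for who in in_flight:       # broadcast: one copy per participant, sender included
            for p in ps:
                p.inbox.append(who)
        in_flight = []
        runnable = [p for p in ps if p.active()]
        if not runnable:            # quiescent: nothing to deliver, nobody still tossing
            return ps
        rng.choice(runnable).step(rng, in_flight)

def agreed_outcome(ps):
    """Global property of Section 5: 'none' if all agree that nobody is eligible,
    j if all agree that exactly participant j is eligible, None if the property fails."""
    views = [tuple(p.e[j] for j in range(len(ps))) for p in ps]
    if any(v != views[0] for v in views):
        return None                 # the participants disagree on who is eligible
    eligible = [j for j, ej in enumerate(views[0]) if ej]
    if len(eligible) == 0:
        return 'none'
    if len(eligible) == 1:
        return eligible[0]
    return None                     # two or more still eligible: no decision reached

if __name__ == "__main__":
    for seed in range(5):
        print(seed, agreed_outcome(run_election(3, seed)))
```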



We prove that the global property holds in the case of two participants. The proofs for the
other cases are similar. In the first step of the proof, we exploit properties 1 and 2:

        m_1 T leads_to m_1(stop ∨ h)              m_1(stop ↔ ~e_2)
        -------------------------------- D7       -------------------- D3
        m_1 T leads_to m_1 stop ∨ m_1 h           m_1 stop ↔ m_1 ~e_2
        ------------------------------------------------------------ LSW
        m_1 T leads_to m_1 h ∨ m_1 ~e_2

The same holds for m_2. We apply LSW and LCC and obtain:

        m_1 T ∧ m_2 T  leads_to  m_1 h ∧ m_2 h                  (13)
                              ∨  m_1 h ∧ m_2 ~e_1               (14)
                              ∨  m_1 ~e_2 ∧ m_2 h               (15)
                              ∨  m_1 ~e_2 ∧ m_2 ~e_1            (16)

In the remaining part of the section we prove that:

        (13) leads_to m_1(~e_1 ∧ ~e_2) ∧ m_2(~e_1 ∧ ~e_2)                   (no leader elected)
        (14) leads_to m_1(~e_1 ∧ e_2) ∧ m_2(~e_1 ∧ e_2)
                    ∨ m_1(~e_1 ∧ ~e_2) ∧ m_2(~e_1 ∧ ~e_2)                   (e_2 elected or no leader)
        (15) leads_to m_1(e_1 ∧ ~e_2) ∧ m_2(e_1 ∧ ~e_2)
                    ∨ m_1(~e_1 ∧ ~e_2) ∧ m_2(~e_1 ∧ ~e_2)                   (e_1 elected or no leader)
        (16) leads_to m_1(~e_1 ∧ ~e_2) ∧ m_2(~e_1 ∧ ~e_2)                   (no leader elected)

So, we can apply Cor1 and conclude.

Proof of (13) leads_to no leader elected

We exploit hypothesis 3:

        m_1 h ∧ m_2 h leads_to m_1 ~e_1 ∧ m_2 ~e_1 ∧ m_1 ~e_2 ∧ m_2 ~e_2

We apply Conf:

        stable m_1 ~e_1        stable m_1 ~e_2
        --------------------------------------- Conf
        m_1 ~e_1 ∧ m_1 ~e_2 → m_1(~e_1 ∧ ~e_2)

A similar implication holds for m_2, hence:

        m_1 h ∧ m_2 h leads_to m_1(~e_1 ∧ ~e_2) ∧ m_2(~e_1 ∧ ~e_2)



Proof of (14) leads_to e_2 elected or no leader elected (the case for (15) is symmetric).

We exploit again hypothesis 3 and obtain, using Cor2, that:

        m_1 h ∧ m_2 ~e_1 leads_to m_1 ~e_1 ∧ m_2 ~e_1

Now, since we don't know anything on the truth of e_2, we need to consider all the possibilities:

        m_1 ~e_1 ∧ m_2 ~e_1  ↔  m_1(~e_1 ∧ e_2) ∧ m_2(~e_1 ∧ e_2)             (17)
                              ∨ m_1(~e_1 ∧ ~e_2) ∧ m_2(~e_1 ∧ e_2)            (18)
                              ∨ m_1(~e_1 ∧ e_2) ∧ m_2(~e_1 ∧ ~e_2)            (19)
                              ∨ m_1(~e_1 ∧ ~e_2) ∧ m_2(~e_1 ∧ ~e_2)           (20)

In case (17) an agreement is reached that participant 2 is the leader. In case (20) the participants agree
that no leader has been elected. The other two cases are symmetric: we consider case (18)
and show that it leads to a state where no leader has been elected. We first show that a state
is reached where participant 2 agrees that he cannot be the leader:

        m_1 ~e_2 because m_2 h
        ------------------------------- BSW
        m_1(~e_1 ∧ ~e_2) because m_2 h        m_2 h leads_to m_2 ~e_2        stable m_2 ~e_2
        ----------------------------------------------------------------------------- Notif
        m_1(~e_1 ∧ ~e_2) ∧ m_2 T leads_to m_2 ~e_2
        ----------------------------------------------------- LSW
        m_1(~e_1 ∧ ~e_2) ∧ m_2(~e_1 ∧ e_2) leads_to m_2 ~e_2

where the last step (LSW) exploits the following implication:

        ~e_1 ∧ e_2 → T
        ------------------------- Nec, D3
        m_2(~e_1 ∧ e_2) → m_2 T

We carry on some calculation:

        m_1(~e_1 ∧ ~e_2) ∧ m_2(~e_1 ∧ e_2) leads_to m_2 ~e_2
        ------------------------------------------------------------------------------------- LCC (F leads_to F)
        m_1(~e_1 ∧ ~e_2) ∧ m_2(~e_1 ∧ e_2) leads_to m_1(~e_1 ∧ ~e_2) ∧ m_2(~e_1 ∧ e_2) ∧ m_2 ~e_2
        ------------------------------------------------------------------------------------- D2, LSW (twice)
        m_1(~e_1 ∧ ~e_2) ∧ m_2(~e_1 ∧ e_2) leads_to m_1(~e_1 ∧ ~e_2) ∧ m_2 ~e_1 ∧ m_2 ~e_2

We now apply Conf and conclude:

        m_1(~e_1 ∧ ~e_2) ∧ m_2(~e_1 ∧ e_2) leads_to m_1(~e_1 ∧ ~e_2) ∧ m_2(~e_1 ∧ ~e_2)

Proof of (16) leads_to no leader elected

We apply the proof schema above (Notif and then Conf) twice and conclude.

6 Discussion and Related Work

The semantic domain of DSL. The choice of 2^S (sets of local states) as a semantic domain of the distributed
state logic formulae, and the non-equivalence between m(F ∧ F') and mF ∧ mF', are useful
to specify that a given condition can have different future effects, without constraining them
to occur in the same state. Similarly, we can express complex preconditions in a temporal
formula. For instance, assume we want to specify and reason on the delivery of credit cards
to customers. The bank, for security reasons, sends the card and the code separately. Once
the customer has got both of them, he is allowed to withdraw money from an ATM machine:

bank new_card leads_to user receive_card ∧ user receive_code                   (21)
user can_withdraw because user receive_card ∧ user receive_code                (22)
The equivalence between m(F ∧ F') and mF ∧ mF' would have required the following
specification, somewhat less intuitive:

bank new_card leads_to user receive_card                                       (23)
bank new_card leads_to user receive_code                                       (24)
user can_withdraw because user receive_card                                    (25)
user can_withdraw because user receive_code                                    (26)

since (21), (22) would be too restrictive, asking for card and code to be received at the same
time.

Last, but not least, with an eye to a 1st order extension, a formula like (21) makes it
easier to bind variables in card and code than with the unrelated formulae (23), (24).



Classical Logic. Another point of discussion is why we need a modality (m) rather than a
distinguished propositional symbol here_m, to replace systematically each sub-formula mF
with here_m ∧ F. One motivation is that we do not want the equivalence between m(F ∧ F')
and mF ∧ mF', as discussed previously. On the contrary, the two translations here_m ∧ F ∧ F'
and here_m ∧ F ∧ here_m ∧ F' would be equivalent.

More importantly, (mF ∧ nF') leads_to oG would be translated into a formula with a false
premise, namely (here_m ∧ F ∧ here_n ∧ F') leads_to (here_o ∧ G).

Hybrid Logic. Hybrid logic allows the specifier to directly refer to specific points (states)
in the model, through the use of nominals [?]. A nominal i is an atom which is true at
exactly one point in any model. The operator @_i permits to jump to the point named by
nominal i. We might consider defining a hybrid signature including distinguished sets of
state variables, one for each component, and translate mF into ∃x. @_x F, where x is a state
variable in the appropriate set. Likely, the resulting setting would be more complex than
that offered by DSTL.



Metric and Layered Temporal Logic. Some similarities can be found between our location
operator and the MLTL operators defined in [?], that make it possible to compose
formulae associated with different time granularities and to switch from one granularity to
another. Time instants are organized in temporal domains, and the set of temporal domains
is totally ordered with respect to the coarseness of the domain elements. To look for an
embedding of DSTL, we can consider three domains: system, with a unique element;
components, whose elements are the components m_1, ..., m_k; states, the domain of the states.
Then the formulae are translated using an appropriate combination of MLTL operators. For
instance, the translation of mF should be ◇_components ∃x. ◇_states F. Since the full expressive
power of MLTL is likely not needed, the simpler framework of DSTL is of pragmatical
interest.



Other logics for distributed systems. Various extensions of temporal logic have been
defined in the literature to deal with distributed systems.

In TTL [18], for each local state of the system, a visibility function specifies which remote
information is accessible. The visibility function is defined on the basis of a relation among
states which is symmetric in the case of states belonging to distinct components.

A trace based extension of linear time temporal logic, called TrPTL, has been defined in
[?] (see also [?]). The logic has been designed to be interpreted over infinite traces, i.e.,
labelled partial orders of actions, which respect some dependence relations associated to the
alphabet of actions.

In [?], a temporal logic, StepTL, is defined and interpreted over multistep transition
systems. These are a well known extension of transition systems, permitting to describe as
concurrent the steps of computation that can actually be executed in parallel. A multistep
transition system thus contains transitions of the form s —A→ s', where A is a set of actions,
instead of a single one.

Three distinct logics are presented in [?] to describe systems composed of sets of
communicating agents. The logics differ in the amount of information each agent can
have on the other agents running on the system, but share a common setting: agents
communicate via common actions. The models for these logics are runs of networks of synchronizing
automata. The logics D_0 and D_1 presented in [?] are based on a similar approach.

In all these proposals, components communicate via some form of synchronization, and
logic formulae are interpreted on models shaped like:

(figure: two components m, with states a, b, c, and n, with states d, e, f, where b and e are a synchronization point)

Therefore, in any logic defined over these models, it is not possible to express the asymmetric
nature of causality we are interested in when modelling the behaviour of agents communicating
asynchronously by message passing. Indeed, in the previous model we can both assert
that a leads_to f and that d leads_to c.

A logic closer to DSTL is proposed in [?], where a branching time temporal logic for
asynchronously communicating sequential agents (ACSAs) is defined. ACSAs communicate
asynchronously via message passing. The logic contains temporal modalities indexed with
the local point of view of one agent and allows an agent "i" to refer to local properties of
another agent "j" according to the latest message received: an agent can gain information
about another agent by receiving messages but not by sending them. We allow agents to
make remote future assertions: therefore it is easier to express global liveness properties.

Knowledge Logic. A logic to reason on asynchronous message passing systems is proposed
in [?]. The language used is obtained by extending their language of knowledge with
the modal operators U and O. Formulae in this language permit to express how the n agents in a
system gain knowledge over time. A set of characteristic formulae valid in the logic is
presented, but a sound and complete axiom system is not defined. The authors focus their
attention on systems based on unreliable communications, while only stating that properties of
reliable communications can be expressed. A major difference with our work lies in the
models used to interpret formulae. Even if the knowledge of the agents is limited to their
current local histories, i.e. sequences of messages sent or received and of internal actions,
interpretation structures are based on global time and state.

Partial Order Temporal Logics. Partial Order Temporal Logic (POTL) [?] permits
to deal with the causal relationships between the events of a set of processes executing
concurrently. The Interleaving Set Temporal Logic (ISTL) [?] extends POTL with features
from linear temporal logic and branching temporal logic. The Kripke structures for both
logics are very different from the one defined in this paper.

We are addressing a specific class of systems that we consider very relevant nowadays,
that is distributed systems with asynchronous message passing. These systems have a few
notable characteristics: there is no global state, and interactions among components occur
only via messages. As a consequence, a specification is essentially devoted to describing
the causal relationships among the components. We think that these characteristics are
so important that the designer working on a specification will greatly benefit if they are
naturally embedded in the basic model he is using. Hence the investigation in Kripke
structures presented in this paper.

Logics for Mobile Systems. Often mobile systems are specified using a process calculus
with primitives for mobility, and some logics have been defined, tailored for these calculi.
This is the case, for instance, of the Ambient Logic studied for the Ambient Calculus [3],
the logic for Klaim [?], and the Spatial Logic for Concurrency [2], whose underlying compu-
tational model is the asynchronous π-calculus. These logics include modalities for describing
the evolution over time and the location of the system processes. They are inspired by the
Hennessy-Milner logic: they are conceived for model checking rather than for specifying and
reasoning on the system properties.

In particular, the Spatial Logic for Concurrency can express properties of freshness, se- 
crecy, structure, and behavior of concurrent systems. Spatial operations correspond to com- 
position, local name restriction, and a primitive fresh name quantifier. The logical treatment 
of the notion of freshness can prove useful in extending DSTL to reason on the dynamic 
creation of components. 

A linear-time logic for specifying mobile systems is MTLA [?], which extends Lamport's
Temporal Logic of Actions with spatial modalities to deal with mobile systems. The main
difference with DSTL is that a synchronous computational model is assumed.

Oikos-adtl. The work reported here stems from our experience with Oikos-adtl, a speci-
fication language for distributed systems based on asynchronous communications, designed
to support the composition of specifications [23]. Oikos-adtl is intended to give designers a
language to express the properties of interest in a natural way, and it is associated with a
refinement method which supports the gradual introduction of details, as design proceeds.
It has been used to specify software architectures and patterns [?] and to analyse security
issues in mobile systems [?]. It is supported by a proof assistant, Mark [?], that deploys
a number of proof strategies that partially automate property verification.

Coming back to our motivating example in the introduction, in Oikos-adtl it is possible
to weaken the consequences of a formula like (1) including operator leads_to, but the rule
shapes

        m p leads_to n q ∧ o r
        ----------------------
        m p leads_to n q

since a formula like (2) is not part of the logic. So, the price is writing one rule for each
possible weakening relation.

7 Conclusions 

To reason on global applications, we have introduced the temporal logic DSTL. Models for
DSTL are space-time diagrams describing the behaviour of a set of components communi-
cating asynchronously. The logic has been introduced in two steps. First, we have defined
DSL, a modal logic for localities that embeds the theories describing the local states of each
component into a theory of the distributed states of the system. No notion of time or state
transition is present at this stage. To support reasoning in the logic, we have presented a
sound and complete axiom system. Then, we have added the temporal operators, and the cor-
responding derivation rules. The contribution is that it is possible to reason about properties
that involve several components, even in the absence of a global clock, which is a meaningless
notion in an asynchronous setting. The logic has been used to reason on the properties of a
simple secure communication system and on an algorithm for leader election.

Future work includes the extension of DSTL to predicate logic, the introduction of an
event operator, the study of compositionality results, and a revision of the theorem prover
Mark. We foresee that formulae in the 1st order extension will have the shape m p(x) leads_to n q(x, y),
and be interpreted as ∀x.[m p(x) leads_to ∃y. n q(x, y)]. This way, the semantics should
smoothly extend that of DSTL. Compositionality results will permit to derive the prop-
erties satisfied by a system from the properties satisfied by its components when executed in
isolation. This requires reasoning on the possible interferences due to communications from
the added components.
Appendix

Proofs from Section 2.2

Axiom 4

        m̄(m̄F ↔ F)
        ------------- K
        m̄m̄F ↔ m̄F

D1

        m̄(m̄ ~F ↔ ~F)
        ------------------- K
        m̄m̄ ~F ↔ m̄ ~F
        -------------------
        ~m̄m̄ ~F ↔ ~m̄ ~F
        -------------------
        m mF ↔ mF
        -------------------
        mF ↔ mmF



D2 We show that m(F ∧ F') → mF; m(F ∧ F') → mF' is proved analogously.

        F ∧ F' → F
        -----------------------
        ~(F ∧ F') ← ~F
        ----------------------- Nec
        m̄(~(F ∧ F') ← ~F)
        ----------------------- K
        m̄ ~(F ∧ F') ← m̄ ~F
        -----------------------
        ~m̄ ~(F ∧ F') → ~m̄ ~F
        -----------------------
        m(F ∧ F') → mF



D3

        (F → F') → (~F' → ~F)
        ------------------------------------------- Nec, K
        m̄(F → F')        m̄(F → F') → m̄(~F' → ~F)
        ------------------------------------------- MP
        m̄(~F' → ~F)
        ------------------- K
        m̄ ~F' → m̄ ~F
        -------------------
        ~mF' → ~mF
        ------------------- PC
        mF → mF'

D5

        m̄(m̄ ~F ↔ ~F)
        m̄(~m̄ ~F ↔ F)
        m̄(mF ↔ F)
D6 For A = F → F', B = F' → F'', and C = F → F'':

        ~A ∨ ~B ∨ C
        -------------------------
        A → (B → C)
        ------------------------- Nec, K
        m̄A → m̄(B → C)
        ------------------------- K
        m̄A → (m̄B → m̄C)
        -------------------------
        ~m̄A ∨ ~m̄B ∨ m̄C
        -------------------------
        ~(m̄A ∧ m̄B) ∨ m̄C
        -------------------------
        (m̄A ∧ m̄B) → m̄C



D7 We prove m(F ∨ F') → (mF ∨ mF') on the left, and m(F ∨ F') ← (mF ∨ mF') on the
right.

Left:

        (A ∧ B) → (A ∧ B)
        ---------------------------------
        ~A ∨ ~B ∨ (A ∧ B)
        ---------------------------------
        A → (B → (A ∧ B))
        --------------------------------- Nec, K
        m̄A → m̄(B → (A ∧ B))
        --------------------------------- K
        m̄A → (m̄B → m̄(A ∧ B))
        ---------------------------------
        ~m̄A ∨ ~m̄B ∨ m̄(A ∧ B)
        ---------------------------------
        ~(m̄A ∧ m̄B) ∨ m̄(A ∧ B)
        ---------------------------------
        (m̄A ∧ m̄B) → m̄(A ∧ B)
        ---------------------------------
        (~m ~A ∧ ~m ~B) → ~m ~(A ∧ B)
        ---------------------------------
        ~(m ~A ∨ m ~B) → ~m(~A ∨ ~B)
        ---------------------------------
        (m ~A ∨ m ~B) ← m(~A ∨ ~B)
        --------------------------------- F = ~A, F' = ~B
        m(F ∨ F') → (mF ∨ mF')

Right:

        F → (F ∨ F')                 F' → (F ∨ F')
        -------------------- Nec     -------------------- Nec
        m̄(F → (F ∨ F'))              m̄(F' → (F ∨ F'))
        -------------------- D3      -------------------- D3
        mF → m(F ∨ F')               mF' → m(F ∨ F')
        --------------------------------------------------
        (mF ∨ mF') → m(F ∨ F')

D8 If we prove m̄((mF ∧ mF') → (F ∧ F')) and m̄((F ∧ F') → m(F ∧ F')) then we can apply
D6 and conclude. The second formula is an instance of D5; we prove the first one:

        (mF → F ∧ mF' → F') → (mF ∧ mF' → F ∧ F')
        ----------------------------------------------------- Nec, K
        m̄(mF → F ∧ mF' → F') → m̄(mF ∧ mF' → F ∧ F')

        m̄(mF → F) ∧ m̄(mF' → F')        (m̄F ∧ m̄F') → m̄(F ∧ F')
        (D5)                              (D7)
        ---------------------------------------------------------- MP
        m̄(mF → F ∧ mF' → F')
        ---------------------------------------------------------- MP, with the conclusion of the previous derivation
        m̄(mF ∧ mF' → F ∧ F')
Proof of the Notification Rule

        F because G        G leads_to mG'        stable mG'
        -------------------------------------------------- Notif
        F ∧ mT leads_to mG'

Let ds be a distributed state satisfying F ∧ mT; we have that:

        ds ⊨ F ∧ mT  ⇒  ds ⊨ F
                     ⇒  ∃ds' ≤ ds. ds' ⊨ G               (since F because G)
                     ⇒  ∃ds'' ≥ ds'. ds'' ⊨ mG'          (since G leads_to mG')

Summing up, ∀ds ⊨ F. ∃ds'' ⊨ mG'.

Now, ds'' ⊨ mG' implies that ∃s ∈ ds'' ∩ S_m with {s} ⊨ mG'. Stability of mG' guarantees
that for any state s' ∈ S_m that follows s, {s'} ⊨ mG'. So, we can build a distributed state
which follows any ds satisfying F ∧ mT and satisfies mG'.



Proof of the Confluence Rule

        stable mF        stable mF'
        --------------------------- Conf
        mF ∧ mF' → m(F ∧ F')

Let ds be a distributed state satisfying mF ∧ mF':

        ds ⊨ mF ∧ mF'  ⇔  ds ⊨ mF and ds ⊨ mF'
                       ⇔  ∃s ∈ ds ∩ S_m. {s} ⊨ F and ∃s' ∈ ds ∩ S_m. {s'} ⊨ F'

Let {s} ≥ {s'} (the case {s} ≤ {s'} is symmetric); by the stability of F' we have that also
{s} satisfies F':

        {s} ⊨ F and {s} ⊨ F'  ⇒  {s} ⊨ F ∧ F'
                              ⇒  ds ⊨ m(F ∧ F')

Proof of Cor1 and Cor2

        G leads_to F'    F' → F' ∨ G'             G' leads_to G'    G' → F' ∨ G'
        ----------------------------- LSW         ------------------------------ LSW
        G leads_to F' ∨ G'                        G' leads_to F' ∨ G'
        -------------------------------------------------------------------- LPD
        F leads_to G ∨ G'        G ∨ G' leads_to F' ∨ G'
        ------------------------------------------------- LTR
        F leads_to F' ∨ G'

        F leads_to G ∧ G'    G ∧ G' → G
        ------------------------------- LSW
        F leads_to G    G leads_to F'             F leads_to G ∧ G'    G ∧ G' → G'
        ----------------------------- LTR         ------------------------------- LSW
        F leads_to F'                             F leads_to G'
        ------------------------------------------------------------------- LCC
        F leads_to F' ∧ G'



